#!/bin/sh
env_setup="@env_setup@"
confdir="@confdir@"
testdir="@testdir@"
. ${env_setup}
KRB5_CONFIG="${1-${confdir}/krb5.conf}"
export KRB5_CONFIG
logfile=${testdir}/messages.log
testfailed="echo test failed; cat ${logfile}; exit 1"
${have_db} || exit 77
mkdir -p "${testdir}"
rm -rf "${testdir}/"*
R=TEST.H5L.SE
R2=TEST2.H5L.SE
R3=TEST-HTTP.H5L.SE
port=@port@
kadmin="${kadmin} -l -r $R"
kdc="${kdc} --addresses=localhost -P $port"
server=host/datan.test.h5l.se
server2=host/computer.example.com
serverip=host/10.11.12.13
serveripname=host/ip.test.h5l.org
serveripname2=host/10.11.12.14
alias1=host/datan.example.com
alias2=host/datan
aliaskeytab=host/datan
cache="FILE:${testdir}/cache.krb5"
ocache="FILE:${testdir}/ocache.krb5"
o2cache="FILE:${testdir}/o2cache.krb5"
icache="FILE:${testdir}/icache.krb5"
keytabfile=${testdir}/server.keytab
keytab="FILE:${keytabfile}"
ps="proxy-service@${R}"
aesenctype="aes256-cts-hmac-sha1-96"
kinit="${kinit} -c $cache ${afs_no_afslog}"
klistA="${klist} -A"
klist="${klist} -c $cache"
kgetcred="${kgetcred} -c $cache"
kgetcred_imp="${kgetcred} --out-cache=${ocache}"
kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
kimpersonate="${kimpersonate} -k ${keytab} --ccache=${ocache}"
rm -f ${testdir}/${keytabfile}
rm -f ${testdir}/current-db*
rm -f ${testdir}/out-*
rm -f ${testdir}/mkey.file*
> ${logfile}
echo Creating database
${kadmin} \
init \
--realm-max-ticket-life=1day \
--realm-max-renewable-life=1month \
${R} || exit 1
${kadmin} \
init \
--realm-max-ticket-life=1day \
--realm-max-renewable-life=1month \
${R2} || exit 1
${kadmin} \
init \
--realm-max-ticket-life=1day \
--realm-max-renewable-life=1month \
${R3} || exit 1
${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
${kadmin} add -p foo --use-defaults foo@${R} || exit 1
${kadmin} add -p bar --use-defaults bar@${R} || exit 1
${kadmin} add -p foo --use-defaults remove@${R} || exit 1
${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1
${kadmin} add -p kaka --use-defaults ${server}-des3@${R} || exit 1
${kadmin} add -p kaka --use-defaults kt-des3@${R} || exit 1
${kadmin} add -p foo --use-defaults ${ps} || exit 1
${kadmin} modify --attributes=+trusted-for-delegation ${ps} || exit 1
${kadmin} modify --constrained-delegation=${server} ${ps} || exit 1
${kadmin} ext -k ${keytab} ${server}@${R} || exit 1
${kadmin} ext -k ${keytab} ${ps} || exit 1
${kadmin} add -p kaka --use-defaults ${server2}@${R2} || exit 1
${kadmin} ext -k ${keytab} ${server2}@${R2} || exit 1
${kadmin} add -p kaka --use-defaults ${serverip}@${R} || exit 1
${kadmin} ext -k ${keytab} ${serverip}@${R} || exit 1
${kadmin} add -p kaka --use-defaults ${serveripname}@${R} || exit 1
${kadmin} ext -k ${keytab} ${serveripname}@${R} || exit 1
${kadmin} modify --alias=${serveripname2}@${R} ${serveripname}@${R}
${kadmin} add -p foo --use-defaults remove2@${R2} || exit 1
${kadmin} add -p kaka --use-defaults ${alias1}@${R} || exit 1
${kadmin} ext -k ${keytab} ${alias1}@${R} || exit 1
${kadmin} modify --alias=${alias2}@${R} ${alias1}@${R}
${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1
${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} || exit 1
${kadmin} add -p foo --use-defaults pw-expire@${R} || exit 1
${kadmin} modify --pw-expiration-time=+1day pw-expire@${R} || exit 1
${kadmin} add -p foo --use-defaults foo@${R3} || exit 1
echo "Check parser"
${kadmin} add -p foo --use-defaults -- -p || exit 1
${kadmin} delete -- -p || exit 1
echo "Doing database check"
${kadmin} check ${R} || exit 1
${kadmin} check ${R2} || exit 1
echo "Extracting enctypes"
${ktutil} -k ${keytab} list > ${testdir}/tempfile || exit 1
${EGREP} -v '^FILE:' ${testdir}/tempfile | ${EGREP} -v '^Vno' | ${EGREP} -v '^$' | \
awk '$1 !~ /1/ { exit 1 }' || exit 1
${kadmin} get foo@${R} > ${testdir}/tempfile || exit 1
enctypes=`grep Keytypes: ${testdir}/tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://'`
enctype_sans_aes=`echo $enctypes | sed 's/aes256[^ ]*//g'`
enctype_sans_des3=`echo $enctypes | sed 's/des3-cbc-sha1//g'`
echo "deleting all but des enctypes on kt-des3 in keytab"
${kadmin} ext -k ${keytab} kt-des3@${R} || exit 1
for a in ${enctype_sans_des3} ; do
${ktutil} -k ${keytab} remove -p kt-des3@${R} -e $a
done
echo foo > ${testdir}/foopassword
echo Starting kdc
env MallocStackLogging=1 MallocStackLoggingNoCompact=1 MallocErrorAbort=1 MallocLogFile=${testdir}/malloc-log \
${kdc} &
kdcpid=$!
sh ${wait_kdc} KDC ${logfile}
if [ "$?" != 0 ] ; then
kill -9 ${kdcpid}
exit 1
fi
trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
ec=0
echo "Getting client initial tickets"; > ${logfile}
${kinit} --password-file=${testdir}/foopassword foo@$R || \
{ ec=1 ; eval "${testfailed}"; }
echo "Getting tickets"; > ${logfile}
${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
echo "Listing tickets"; > ${logfile}
${klist} > /dev/null || { ec=1 ; eval "${testfailed}"; }
${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
{ ec=1 ; eval "${testfailed}"; }
${kdestroy}
echo "Getting client initial tickets (http transport)"; > ${logfile}
${kinit} --password-file=${testdir}/foopassword foo@${R3} || \
{ ec=1 ; eval "${testfailed}"; }
${kdestroy}
echo "Specific enctype"; > ${logfile}
${kinit} --password-file=${testdir}/foopassword \
-e ${aesenctype} -e ${aesenctype} \
foo@$R || \
{ ec=1 ; eval "${testfailed}"; }
for a in $enctypes; do
echo "Getting client initial tickets ($a)"; > ${logfile}
${kinit} --enctype=$a --password-file=${testdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
echo "Getting tickets"; > ${logfile}
${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
${test_ap_req} ${server}@${R} ${keytab} ${cache} || { ec=1 ; eval "${testfailed}"; }
${kdestroy}
done
echo "Getting client initial tickets"; > ${logfile}
${kinit} --password-file=${testdir}/foopassword foo@$R || \
{ ec=1 ; eval "${testfailed}"; }
for a in $enctypes; do
echo "Getting tickets ($a)"; > ${logfile}
${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
{ ec=1 ; eval "${testfailed}"; }
${kdestroy} --credential=${server}@${R}
done
${kdestroy}
echo "Getting client initial tickets for cross realm case"; > ${logfile}
${kinit} --password-file=${testdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
for a in $enctypes; do
echo "Getting cross realm tickets ($a)"; > ${logfile}
${kgetcred} -e $a ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
echo " checking we we got back right ticket"
${klist} | grep ${server2}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
echo " checking if ticket is useful"
${test_ap_req} ${server2}@${R2} ${keytab} ${cache} || \
{ ec=1 ; eval "${testfailed}"; }
${kdestroy} --credential=${server2}@${R2}
done
${kdestroy}
echo "try all permutations"; > ${logfile}
for a in $enctypes; do
echo "Getting client initial tickets ($a)"; > ${logfile}
${kinit} --enctype=$a --password-file=${testdir}/foopassword foo@$R || \
{ ec=1 ; eval "${testfailed}"; }
for b in $enctypes; do
echo "Getting tickets ($a -> $b)"; > ${logfile}
${kgetcred} -e $b ${server}@${R} || \
{ ec=1 ; eval "${testfailed}"; }
${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
{ ec=1 ; eval "${testfailed}"; }
${kdestroy} --credential=${server}@${R}
done
${kdestroy}
done
echo "Getting client initial tickets ip based name"; > ${logfile}
${kinit} --password-file=${testdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
echo "Getting ip based name tickets"; > ${logfile}
${kgetcred} ${serverip}@${R} || { ec=1 ; eval "${testfailed}"; }
echo " checking we we got back right ticket"
${klist} | grep ${serverip}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
echo " checking if ticket is useful"
${test_ap_req} ${serverip}@${R} ${keytab} ${cache} || \
{ ec=1 ; eval "${testfailed}"; }
${kdestroy}
echo "Getting client initial tickets ip based name (alias)"; > ${logfile}
${kinit} --password-file=${testdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
for a in ${serveripname} ${serveripname2} ; do
echo "Getting ip based name tickets (alias) $a"; > ${logfile}
${kgetcred} ${a}@${R} || { ec=1 ; eval "${testfailed}"; }
echo " checking we we got back right ticket"
${klist} | grep ${a}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
echo " checking if ticket is useful"
${test_ap_req} --server-any ${a}@${R} ${keytab} ${cache} || \
{ ec=1 ; eval "${testfailed}"; }
done
${kdestroy}
echo "Getting server initial tickets"; > ${logfile}
${kinit} --keytab=${keytab} ${server}@$R || { ec=1 ; eval "${testfailed}"; }
echo "Listing tickets"; > ${logfile}
${klist} | grep "Principal: ${server}" > /dev/null || \
{ ec=1 ; eval "${testfailed}"; }
${kdestroy}
echo "Getting key for key that are a subset in keytab compared to kdb"
${kinit} --keytab=${keytab} kt-des3@${R}
${klist} | grep "Principal: kt-des3" > /dev/null || \
{ ec=1 ; eval "${testfailed}"; }
${kdestroy}
echo "initial tickets for deleted user test case"; > ${logfile}
${kinit} --password-file=${testdir}/foopassword remove@$R || \
{ ec=1 ; eval "${testfailed}"; }
${kadmin} delete remove@${R} || { ec=1 ; eval "${testfailed}"; }
echo "try getting ticket with deleted user"; > ${logfile}
${kgetcred} ${server}@${R} 2> /dev/null && { ec=1 ; eval "${testfailed}"; }
${kdestroy}
echo "cross realm case (deleted user)"; > ${logfile}
${kinit} --password-file=${testdir}/foopassword remove2@$R2 || \
{ ec=1 ; eval "${testfailed}"; }
${kgetcred} krbtgt/${R}@${R2} 2> /dev/null || \
{ ec=1 ; eval "${testfailed}"; }
${kadmin} delete remove2@${R2} || exit 1
${kgetcred} ${server}@${R} 2> /dev/null || \
{ ec=1 ; eval "${testfailed}"; }
${kdestroy}
echo "rename user"; > ${logfile}
${kadmin} add -p foo --use-defaults rename@${R} || exit 1
${kinit} --password-file=${testdir}/foopassword rename@${R} || \
{ ec=1 ; eval "${testfailed}"; }
${kadmin} rename rename@${R} rename2@${R} || exit 1
${kinit} --password-file=${testdir}/foopassword rename2@${R} || \
{ ec=1 ; eval "${testfailed}"; }
${kdestroy}
${kadmin} delete rename2@${R} || exit 1
echo "rename user to another realm"; > ${logfile}
${kadmin} add -p foo --use-defaults rename@${R} || exit 1
${kinit} --password-file=${testdir}/foopassword rename@${R} || \
{ ec=1 ; eval "${testfailed}"; }
${kadmin} rename rename@${R} rename@${R2} || exit 1
${kinit} --password-file=${testdir}/foopassword rename@${R2} || \
{ ec=1 ; eval "${testfailed}"; }
${kdestroy}
${kadmin} delete rename@${R2} || exit 1
echo deleting all but aes enctypes on krbtgt
${kadmin} del_enctype krbtgt/${R}@${R} ${enctype_sans_aes} || exit 1
echo deleting all but des enctypes on server-des3
${kadmin} del_enctype ${server}-des3@${R} ${enctype_sans_des3} || exit 1
${kadmin} ext -k ${keytab} ${server}-des3@${R} || exit 1
echo "try all permutations (only aes)"; > ${logfile}
for a in $enctypes; do
echo "Getting client initial tickets ($a)"; > ${logfile}
${kinit} --enctype=$a --password-file=${testdir}/foopassword foo@${R} ||\
{ ec=1 ; eval "${testfailed}"; }
for b in $enctypes; do
echo "Getting tickets ($a -> $b)"; > ${logfile}
${kgetcred} -e $b ${server}@${R} || \
{ ec=1 ; eval "${testfailed}"; }
${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
{ ec=1 ; eval "${testfailed}"; }
echo "Getting tickets ($a -> $b) (server des3 only)"; > ${logfile}
${kgetcred} ${server}-des3@${R} || \
{ ec=1 ; eval "${testfailed}"; }
${test_ap_req} ${server}-des3@${R} ${keytab} ${cache} || \
{ ec=1 ; eval "${testfailed}"; }
${kdestroy} --credential=${server}@${R}
${kdestroy} --credential=${server}-des3@${R}
done
${kdestroy}
done
echo deleting all enctypes on krbtgt
${kadmin} del_enctype krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \
{ ec=1 ; eval "${testfailed}"; }
echo "try initial ticket w/o and keys on krbtgt"
${kinit} --password-file=${testdir}/foopassword foo@${R} 2>/dev/null && \
{ ec=1 ; eval "${testfailed}"; }
echo "adding random aes key"
${kadmin} add_enctype -r krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \
{ ec=1 ; eval "${testfailed}"; }
echo "try initial ticket with random aes key on krbtgt"
${kinit} --password-file=${testdir}/foopassword foo@${R} || \
{ ec=1 ; eval "${testfailed}"; }
${kdestroy}
rsa=yes
ecdsa=yes
pkinit=no
if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then
rsa=no
fi
if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
rsa=no
fi
if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then
pkinit=yes
fi
if ${hxtool} info | grep 'ecdsa: hcrypto null' > /dev/null ; then
ecdsa=no
fi
if test "$pkinit" = yes -a "$rsa" = yes ; then
echo "try anonymous pkinit"; > ${logfile}
${kinit} --anonymous ${R} || \
{ ec=1 ; eval "${testfailed}"; }
${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
${kdestroy}
for type in "" "--pk-use-enckey"; do
echo "Trying pk-init (principal in certificate) $type"; > ${logfile}
${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key bar@${R} || \
{ ec=1 ; eval "${testfailed}"; }
${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
${kdestroy}
echo "Trying pk-init (principal in pki-mapping) $type"; > ${logfile}
${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key foo@${R} || \
{ ec=1 ; eval "${testfailed}"; }
${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
${kdestroy}
echo "Trying pk-init (password protected key) $type"; > ${logfile}
${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit-pw.key --password-file=${testdir}/foopassword foo@${R} || \
{ ec=1 ; eval "${testfailed}"; }
${kgetcred} ${server}@${R} || \
{ ec=1 ; eval "${testfailed}"; }
${kdestroy}
echo "Trying pk-init (proxy cert) $type"; > ${logfile}
${kinit} $type -C FILE:${hx509_data}/pkinit-proxy-chain.crt,${hx509_data}/pkinit-proxy.key foo@${R} || \
{ ec=1 ; eval "${testfailed}"; }
${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
${kdestroy}
done
if test "$ecdsa" = yes > /dev/null ; then
echo "Trying pk-init (ec certificate)"
> ${logfile}
${kinit} -C FILE:${hx509_data}/pkinit-ec.crt,${hx509_data}/pkinit-ec.key bar@${R} || \
{ ec=1 ; eval "${testfailed}"; }
${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
${kdestroy}
grep 'PK-INIT using ecdh' ${logfile} > /dev/null || \
{ ec=1 ; eval "${testfailed}"; }
fi
else
echo "no pkinit (pkinit: $pkinit, rsa: $rsa)"; > ${logfile}
fi
echo "check renewing" > ${logfile}
${kinit} --renewable --password-file=${testdir}/foopassword foo@$R || \
{ ec=1 ; eval "${testfailed}"; }
echo "kinit -R"
${kinit} -R || \
{ ec=1 ; eval "${testfailed}"; }
echo "check renewing MIT interface" > ${logfile}
${kinit} --renewable --password-file=${testdir}/foopassword foo@$R || \
{ ec=1 ; eval "${testfailed}"; }
echo "test_renew"
env KRB5CCNAME=${cache} ${test_renew} || \
{ ec=1 ; eval "${testfailed}"; }
${kdestroy}
echo "checking server aliases"; > ${logfile}
${kinit} --password-file=${testdir}/foopassword foo@$R || \
{ ec=1 ; eval "${testfailed}"; }
echo "Getting tickets"; > ${logfile}
${kgetcred} ${alias1}@${R} || { ec=1 ; eval "${testfailed}"; }
${kgetcred} ${alias2}@${R} || { ec=1 ; eval "${testfailed}"; }
echo " verify entry in keytab"
${test_ap_req} ${alias1}@${R} ${keytab} ${cache} || \
{ ec=1 ; eval "${testfailed}"; }
echo " verify entry in keytab with any"
${test_ap_req} --server-any ${alias1}@${R} ${keytab} ${cache} || \
{ ec=1 ; eval "${testfailed}"; }
echo " verify failure with alias entry"
${test_ap_req} ${alias2}@${R} ${keytab} ${cache} 2>/dev/null && \
{ ec=1 ; eval "${testfailed}"; }
echo " verify alias entry in keytab with any"
${test_ap_req} --server-any ${alias2}@${R} ${keytab} ${cache} || \
{ ec=1 ; eval "${testfailed}"; }
${kdestroy}
echo "testing removal of keytab"
${ktutil} -k ${keytab} destroy || { ec=1 ; eval "${testfailed}"; }
test -f ${keytabfile} && { ec=1 ; eval "${testfailed}"; }
echo "Getting client pw expire"; > ${logfile}
${kinit} --password-file=${testdir}/foopassword \
pw-expire@${R} 2>${testdir}/kinit-log.tmp|| \
{ ec=1 ; eval "${testfailed}"; }
grep 'Your password will expire' ${testdir}/kinit-log.tmp > /dev/null || \
{ ec=1 ; eval "${testfailed}"; }
echo " kinit passes"
${test_gic} --client=pw-expire@${R} --password=foo \
--last-request > ${testdir}/kinit-log.tmp 2>/dev/null
${EGREP} "^e type: 6" ${testdir}/kinit-log.tmp > /dev/null || \
{ ec=1 ; eval "${testfailed}"; }
echo " test_gic passes"
${kdestroy}
echo "testing klist -A with KRB5CCNAME set"
${kinit} --password-file=${testdir}/foopassword foo@$R || \
{ ec=1 ; eval "${testfailed}"; }
export KRB5CCNAME=${cache}
${klistA} > ${testdir}/klist-log.tmp
grep 'Issued' ${testdir}/klist-log.tmp &> /dev/null || \
{ ec=1 ; eval "${testfailed}"; }
echo "testing sendto"
${test_sendto} --realm=${R} || \
{ ec=1 ; eval "${testfailed}"; }
echo "testing sendto (use-large)"
${test_sendto} --use-large --realm=${R} || \
{ ec=1 ; eval "${testfailed}"; }
rm ${testdir}/kinit-log.tmp ${testdir}/klist-log.tmp
echo "killing kdc (${kdcpid})"
sh ${leaks_kill} kdc $kdcpid || exit 1
trap "" EXIT
exit $ec